[Esapi-user] [Esapi-dev] 2 ESAPI Bounties created on Bountysource

Chris Schmidt chrisisbeef at gmail.com
Fri Jan 30 05:50:26 UTC 2015


I'm a little late to the party here, but as far as I am concerned - neither
Kevin nor myself is eligible to collect a bounty. It would be a pointless
exercise and an abuse of funds to do so.

Thanks Kevin and Fabio for driving this forward - I look forward to seeing
the contributions we get back (hopefully!)

On Wed, Jan 28, 2015 at 10:13 PM, Kevin W. Wall <kevin.w.wall at gmail.com>
wrote:

> On Wed, Jan 28, 2015 at 7:46 AM, Magno Logan <magno.logan at owasp.org>
> wrote:
> >
> > Hi there,
> >
> > I have to agree with Jim on this one. I see no relevant point to limit the
> > amount of users that can try and get the bounty. No one at OWASP has
> > privileged information, everything is open and I think so should be the
> > bounty. Why me as an OWASP leader wouldn't be eligible to get the bounty?
> > That would, as Jim said, limit the amount of people that would be allowed to
> > do it and evidently lead to a delay in the completion of this issue.
>
> Magno and Jim,
>
> First, thank you both for openly sharing your dissenting views in a
> civil manner. That's one of the things that I really like about the
> OWASP community. However, I think there is some misunderstanding here.
> I was not proposing that either of you, as OWASP leaders, should not be
> eligible for the ESAPI Bountysource bounties. Nor do I believe that my
> proposal will significantly reduce the number of potential participants.
>
> What I am advocating was that the *ESAPI* project leaders (which would be
> myself and Chris Schmidt) not be eligible to receive the bounties.
> Fabio also suggested and I concur, that the OWASP *global* board also be
> excluded.
>
> But perhaps more important than understanding _what_ I was advocating is
> understanding _why_ I was suggesting this.
>
> One vital piece of information that everyone may be missing--at least
> in the specific case of these ESAPI bounties--is that I am set up as
> the sole approver of awarding these bounties. Not only am I responsible for
> determining which submission is the best, but I am also responsible
> for determining which bugs get awarded some fixed amount of dollars.
> (Note: I'd prefer something more like a vote by small committee to
> do these things, but short story, that's just not the way things worked
> themselves out. If someone else wishes to help run / judge this, drop
> me an email off-list.)
>
> I know that most of us on this list want OWASP to remain above reproach.
> Since we are a non-profit, reputation is one of the very few things that
> are really important to us all.
>
> So, what would happen if an OWASP project leader who also
> happened to approve bounties cherry picked some bugs
> that maybe he or she was already working on or required such
> expertise that only s/he could complete it. Then that person submits
> their own bug fix and maybe after waiting awhile for other
> submissions, approves their own fix for the bounty.
>
> Do you really think that wouldn't raise some eyebrows, not
> only within the OWASP community, but outside of it as well?
>
> Note that I am *NOT* trying to say that any specific OWASP project
> leaders would actually think of enriching themselves in
> such a manner, but why open things up to temptation? At the VERY
> LEAST I think we need to exclude anyone who approves the
> bounties from participating in THOSE bounties. That is,
> avoid even the *appearance* of any conflict of interest. Is
> this not what we expect on how non-profits should operate?
>
> Knowing how much we all care about protecting the OWASP brand
> and OWASP's reputation, I went back and rethought this through
> and realized that perhaps most of you didn't realize that it was
> me who was approving the ESAPI Bountysource bounties. (If
> it had been Fabio instead who had this responsibility, perhaps
> that would be different.) But I just think it is a bad idea
> if we allow OWASP members to be put into a situation where they
> are tempted to compromise and thus tarnish OWASP's reputation.
> This is at the essence of why we have separation of duties.
> If we compromise here, do we allow people to approve their own
> OWASP related expense vouchers? Where would it all end? IMO,
> best to stay away from that slippery slope altogether.
>
> I am not suggesting that Magno, as project leader of some other
> OWASP project, should be ineligible for the ESAPI Bountysource
> bounties. But if you were in the position that I find myself in, it
> would hardly surprise me if you also chose to recuse yourself
> from being eligible for any bounties that you administer.
>
> And unless there are a lot of project leaders on a given OWASP
> project, what I have proposed does not significantly reduce the
> number of people eligible to collect the bounties.
>
> So I hope this explanation puts this discussion to bed and the
> discussion can turn more toward answering questions about
> the two issues for which bounties are being offered.
>
> Best regards,
> -kevin
> --
> Blog: http://off-the-wall-security.blogspot.com/
> NSA: All your crypto bit are belong to us.
> _______________________________________________
> Esapi-user mailing list
> Esapi-user at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/esapi-user
>



-- 
Chris Schmidt

OWASP ESAPI Developer
http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API

Check out OWASP ESAPI for Java
http://code.google.com/p/owasp-esapi-java/

OWASP ESAPI for JavaScript
http://code.google.com/p/owasp-esapi-js/

Yet Another Developers Blog
http://yet-another-dev.blogspot.com

Bio and Resume
http://www.digital-ritual.net/resume.html